Skip to content

Governance, Risk and Compliance (GRC) Best Practices

What is Governance, Risk and Compliance?

Governance, Risk and Compliance, also known as GRC, is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.

Why is GRC so important?

Every organization is now a data organization. The volume of data every organization holds is growing exponentially every year with a growth rate of 23% from 2020-25 [1].

Here are some stats for you:

  • 57% of senior-level executives rank “risk and compliance” as one of the top two risk categories they feel least prepared to address. [2] 
  • 62% of organizations have experienced a critical risk event in the past three years. [2]
  • 65% of organizations are operating “reactive” or “basic” policy management programs (as opposed to maturing or advanced). [2]
  • Less than three-quarters (69%) of organizations are leveraging technology to support their compliance initiatives. [2]

So, what are our top tips for GRC?

When it comes to implementing a GRC strategy or starting to use related tools and processes, there are many potential pitfalls, so here are some top tips on what to expect and some lessons learned from businesses who have been down that road already:

Do your research

Make sure you understand what you are buying if you are purchasing a product to manage GRC, because if it doesn’t completely do what you are expecting of it, you will be wasting money and creating extra work for yourselves doing something that is meant to minimize expenditure and workload. Most of all, understand what GRC represents and what the impacts of it will be, as well as what needs to be put into it to get the right results out of it.

Take an iterative approach

There is no way to get it 100% right the first time out as there are too many factors and stakeholders involved, opening the likelihood of needing to revise and revisit aspects repeatedly. So, it’s best to plan ahead for this, especially given the nature of risk and compliance, both of which need to be monitored and revisited on a regular basis.

Work collaboratively

Your project team for GRC implementation needs to be a diverse one in terms of representing a variety of crucial roles (ranging from senior to more junior), otherwise the decisions made will not be representative and may not achieve everything they are intended to achieve. It also ensures that developments are communicated around everyone who needs to know and avoids work being duplicated, which is one of the main points of introducing GRC in the first place, of course.


Good communication across the business is critical to avoid colleagues misunderstanding the nature of GRC and what it is being brought in to achieve. This is especially important when it comes to the areas of the business where workflows will be directly affected, particularly those where there might be staff changes to reflect the more streamlined approach. GRC is meant to be a positive step in the right direction, but poor internal communications can turn it into a potential and completely unnecessary problem.

Audit your policies and put them into practice

Rather than treating your policies as a task checklist, formulate them. Policies are the guide to how people in the business should manage and handle data – but don’t leave them as paper-based policies. Look at how to turn those policies into practice so they remain front and center. Constantly monitor and periodically review your policies to ensure you safeguard your organization.

Prepare and provide the right resources

Another potential issue could be that a GRC solution is seen as an easy win when it comes to cutting costs and so the right financial and staffing resources aren’t put into place to manage it at the early stages. As well as making sure these resources are available, the planning needs to be in place for how to properly utilize them.

How can NOW Privacy help with your GRC?

NOW Privacy, formerly Exonar Reveal, allows organizations to manage their full data estate in one single view. Find unprotected risky and sensitive information across all your structured and unstructured data instantly. From billions of items to the one you need in seconds. NOW Privacy provides an insurance policy for your organization's data. Think Google for the enterprise.

To find out more about how Vertical Intelligence with NOW Privacy can help, why not take a test drive on up to 1TB of your data. Schedule your proof of concept with


[1] Data Creation and Replication Will Grow at a Faster Rate than Installed Storage Capacity, According to the IDC Global DataSphere and StorageSphere Forecasts

[2] Why GRC Matters: 50 Risk & Compliance Statistics - Quantivate

Vertical Intelligence Insights

Please fill out the form and someone from our team will be back to you within 48 hours

Get in Touch